Saturday, September 23, 2006

At what point did Microsoft completely lose touch with reality? No, no... not when they thought the Internet was a passing fad, or when BG said we'd never need more than 640k RAM, or when they flip-flopped on a SQL backend for Exchange and kept the Jet db engine. I'm talking about Black Tuesday, Patch Tuesday... Microsoft's "that time of the month." Enough already. The MSIE VML vulnerability drives home three key points.

1) The shortcomings in MS product and code are likely to remain perpetual and inevitable.

2) Bright, capable, well-intentioned engineers will release their own patches in the hope of filling the gap until the next Patch Tuesday. Kudos to the Zeroday Emergency Response Team: ZERT.

3) MS needs to buck up, admit to the fact that they're far from perfect, work with the community to improve their code and react faster, and ultimately, BREAK THE 30 DAY PATCH CYCLE when necessary. No 0-day vulns? Fine, but when one is made public, rally the troops, write the patch, and put it on the street. The Mozilla group is a great example. Firefox has been far from perfect, no doubt. But have you ever seen a three week delay between when the vulnerability is publicized and when their fix is released? Try three days. That's how you do it.

The more MS waits, the more soft spots are found in their code, and the more reason they offer consumers to turn to other products. They lost me long ago, but what of the millions more they stand to lose? Is it so naive to believe that, by opening up a bit and avoiding the uber-monolith mentality, Microsoft could vastly improve its image and market share? Case in point: I'm writing on the best piece of hardware I've ever met, a MacBook Pro.

About Me

Russ McRee works for Microsoft's Operating Systems Group (OSG). He writes toolsmith, a monthly column in the ISSA Journal. Russ has spoken at infosec events such as Defcon, Black Hat, RSA, and FIRST, and has published in the likes of Information Security, Linux Magazine, (IN)SECURE, and SysAdmin. As an advocate of a holistic approach to information security, Russ' website is holisticinfosec.org.
He also serves as a volunteer handler for the SANS Internet Storm Center.